Slashdot Mirror


Mozilla Says It Erred On SSL Attack Disclosure

Trailrunner7 writes "Just days after news emerged of the attack on a registration authority in Europe tied to Comodo that caused the revocation of a number of fraudulent certificates from the major browsers, Mozilla officials have admitted they made a mistake by not disclosing the details of the incident to its users earlier. 'In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.'"

8 of 62 comments

  1. Re:No harm, no foul by Anonymous Coward · · Score: 3, Insightful

    Yeah except if the situation had been reversed and Microsoft had done what Mozilla did. Then there would be pitchforks about how Microsoft was being evil. But, no, this time it was Mozilla and they can just do no wrong.

  2. Re:What can users do about it by freakingme · · Score: 2

    There's DNSSEC, which more and more ISPs and registries support. Then, if someone managed to hijack a certificate he/she would also have to spoof google's IP.

  3. Re:What can users do about it by Anonymous Coward · · Score: 2, Insightful

    Why is a US based CA inherently more trustworthy than one from Turkey? Fact of the matter is, TURKTRUST has a perfect security record, while Comodo is just the latest in a long line of breaches of US CAs. And even if that wasn't the case, it's still completely irrelevant to this breach. You can't possibly claim that a major browser should not have Comodo enabled by default, unless you're making the asinine claim that no CAs should be enabled by default.

  4. Re:What can users do about it by WaffleMonster · · Score: 2

    There's DNSSEC, which more and more ISPs and registries support. Then, if someone managed to hijack a certificate he/she would also have to spoof google's IP.

    Hear, hear! The difference the CAs will tell you is they verify and identify the organization rather than the domain name...

    Poser = "mcdnalds.com"
    Ronald = "mcdonalds.com"

    The reality seems to be more CAs continue to make the process easier and easier to increasingly enrich themselves without having to do much to show for it in return... Now many offer a completely automated process to instantly obtain a cert...WTF?!?!?!

    In my view the system would be better off if we all got SSL certs with our DNS names and then came up with a process where CAs shift exclusively to verification of identity, such that access to mcdnalds.com and mcdonalds.com is secure, however the user would also know through a browser display that mcdonalds.com has been verified as belonging to Ronald while mcdnalds.com has not.

  5. Re:What can users do about it by heypete · · Score: 4, Informative

    You can also not bother using CRLs, and just use OCSP, which is turned on by default (EV certificates require it or else the browser won't display the "green bar").

    As it does live checks on only the certificates presented right then, rather than downloading the whole CRL at intervals, OCSP uses less network resources for both you and the CA, updates faster (CRLs update every few days), and is generally superior in all ways. Like CRLs, OCSP responses are signed by the CA that issued them, and so cannot be tampered with.

    You can even have your browser set to not trust the certificate presented if the OCSP query fails, which is a good fail-safe. I wish there was a "warn if OCSP check fails" option, rather than "fail silently and allow connection to proceed if OCSP fails" and "fail noisily and not work if OCSP fails". The former leaves people vulnerable, while the latter presents DoS attack targets.

    Pushing out OS and browser updates to manually revoke those certificates is not a bad idea, particularly for those who have OCSP disabled for whatever reason, but there's not really any reason to manually install CRLs when OCSP exists.
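The CRL-versus-OCSP contrast and the soft-fail/hard-fail/warn trade-off in the comment above, as an added example that is not part of the original thread and not any browser's or CA's code. Everything in it is constructed: an HMAC stands in for the CA's asymmetric signature so it runs with the standard library alone, the serial numbers and timestamps are invented, and the OCSP responder is an in-process function rather than a network call. It shows why a cached CRL misses a certificate revoked after the download, why a live response that has been tampered with fails the signature check, and what each failure policy does when the responder cannot be reached.

```python
"""Constructed model of CRL-vs-OCSP revocation checking (not real PKI code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for the CA's private key. Real CRLs and OCSP responses carry an
# asymmetric signature; an HMAC over the body plays that role here.
CA_SECRET = b"constructed-ca-secret"

def ca_sign(body: bytes) -> bytes:
    return hmac.new(CA_SECRET, body, hashlib.sha256).digest()

def ca_verify(body: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(ca_sign(body), signature)

@dataclass(frozen=True)
class CRL:
    issued_at: int          # constructed epoch seconds
    revoked: frozenset      # serials listed as revoked at issue time
    signature: bytes

    def body(self) -> bytes:
        return f"crl|{self.issued_at}|{','.join(sorted(self.revoked))}".encode()

@dataclass(frozen=True)
class OCSPResponse:
    serial: str
    status: str             # "good" | "revoked" | "unknown"
    produced_at: int
    signature: bytes

    def body(self) -> bytes:
        return f"ocsp|{self.serial}|{self.status}|{self.produced_at}".encode()

class CA:
    """Tracks revocations over time; publishes CRLs and answers OCSP queries."""
    def __init__(self):
        self.revoked = {}   # serial -> revocation time

    def revoke(self, serial, at):
        self.revoked[serial] = at

    def publish_crl(self, at):
        listed = frozenset(s for s, t in self.revoked.items() if t <= at)
        unsigned = CRL(at, listed, b"")
        return CRL(at, listed, ca_sign(unsigned.body()))

    def ocsp_respond(self, serial, at):
        status = "revoked" if self.revoked.get(serial, at + 1) <= at else "good"
        unsigned = OCSPResponse(serial, status, at, b"")
        return OCSPResponse(serial, status, at, ca_sign(unsigned.body()))

def check_with_crl(serial, crl):
    """Client relying on a CRL it downloaded earlier."""
    if not ca_verify(crl.body(), crl.signature):
        return "reject"
    return "reject" if serial in crl.revoked else "accept"

def check_with_ocsp(serial, fetch_response, policy):
    """Live check. `fetch_response` is the responder call; `policy` decides what
    happens when the responder fails: soft_fail, hard_fail or warn."""
    try:
        resp = fetch_response(serial)
    except (TimeoutError, ConnectionError):
        return {"soft_fail": "accept", "hard_fail": "reject", "warn": "warn"}[policy]
    if resp.serial != serial or not ca_verify(resp.body(), resp.signature):
        return "reject"          # forged or mismatched response
    if resp.status == "good":
        return "accept"
    if resp.status == "revoked":
        return "reject"
    return {"soft_fail": "accept", "hard_fail": "reject", "warn": "warn"}[policy]

# --- Constructed scenario ---------------------------------------------------
ca = CA()
ca.revoke("0A", at=0)                  # known-bad cert, already on the CRL
CACHED_CRL = ca.publish_crl(at=0)      # client downloaded this CRL at t=0
ca.revoke("0B", at=3600)               # fraudulent cert revoked an hour later
NOW = 7200

def stale_crl_verdict(serial):
    return check_with_crl(serial, CACHED_CRL)

def live_ocsp_verdict(serial, policy="hard_fail", responder_up=True):
    def fetch(s):
        if not responder_up:
            raise TimeoutError("constructed responder outage")
        return ca.ocsp_respond(s, NOW)
    return check_with_ocsp(serial, fetch, policy)

def tampered_verdict():
    """Attacker flips a 'revoked' answer to 'good' without the CA key."""
    real = ca.ocsp_respond("0B", NOW)
    forged = OCSPResponse("0B", "good", NOW, real.signature)
    return check_with_ocsp("0B", lambda s: forged, "hard_fail")

if __name__ == "__main__":
    print("stale CRL, 0B:", stale_crl_verdict("0B"))       # accept (missed)
    print("live OCSP, 0B:", live_ocsp_verdict("0B"))       # reject
    for p in ("soft_fail", "hard_fail", "warn"):
        print(p, "responder down:", live_ocsp_verdict("0A", p, responder_up=False))
    print("tampered response:", tampered_verdict())        # reject
```

The three outcomes of `live_ocsp_verdict` with `responder_up=False` are the trade-off the comment describes: soft-fail lets an attacker who can block the responder slip a revoked certificate through, hard-fail turns a responder outage into a denial of service for every site behind that CA, and the "warn" policy surfaces the failure to the user without either silently accepting or hard-blocking.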

  6. Good on them by BlueParrot · · Score: 4, Insightful

    Admitting it was a mistake rather than coming up with some bogus excuse gives them points in my book. Whether the decision was by marketing or just company policy it at least suggests they have one or two competent people over there.

  7. I think they did the right thing - BOTH times by darthcamaro · · Score: 3, Insightful

    Mozilla was the first browser vendor to patch. SURE they could have told us exactly what they were patching, but they erred on the side of caution. The fact that they want to be OPEN about everything is just a bonus and it's what differentiates Mozilla from every other browser vendor.

    1. Re:I think they did the right thing - BOTH times by trifish · · Score: 3, Informative

      You didn't get what they did wrong. They knew about the issue 10 days before they disclosed it (and they were in fact forced to disclose it by a blogger). During that period, the affected unsuspecting people in Iran may have been exploited, snooped, arrested and/or executed. That's what they apologized for just now. But apologies won't help those victims (if there are any) a bit.